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CLAIMS 

What is claimed is: 

1 . A method for providing a unique identification of monitored network data 
instances flowing across various connections between networked devices, the unique 
5 identification being derived from information contained entirely within each instance of the 
network data, the method comprising: 

using at least one monitoring device to monitor a network data instance flowing 
across at least one data connection; 

deriving from the data instance certain information which collectively provides a 
1 0 unique identification of the network data instance; 

assembling the derived information into an input string for a hash function; and 

using the output string of the hash function as a signature which represents a unique 
identifier of the network data instance. 



1 5 2. The method according to Claim 1 , wherein the deriving step includes: 

deriving from the data instance a source and destination address for the data; 

deriving from the data instance a source and destination port associated with the 
networked devices; 

deriving from the data instance at least one sequence number associated with data 
20 instance; 



3. The method according to Claim 1, which further includes: 

attaching the signature to at least one data report associated with the network data 
instance; and 
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transmitting the data reports and signatures from each monitoring device to a central 
collecting device. 

4. The method according to Claim 3, wherein a timestamp is further associated 
5 with each data report before it is transmitted to the central collector. 

5. The method according to Claim 3, wherein the central collecting device uses 
the signatures to eliminate duplicate data reports that might come in from different 
monitoring devices positioned at different locations on the network. 

_10 

4* 6. The method according to Claim 1 , wherein network data instances are data 

Uj packets as part of a TCP/IP (Transmission Control Protocol/Internet Protocol) client-server 

. f * network. 

151 

1 5 7. The method according to Claim 6, wherein the source and destination 

Jt: addresses include a client IP address and a server IP address. 

8. The method according to Claim 7, wherein the source and destination port 
include a client port number and a server port number. 

20 

9. The method according to Claim 8 ? wherein the at least one sequence number 
includes a client sequence number or a server sequence number 
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10. The method according to Claim 9, wherein the at least one sequence number 
includes both a client sequence number and a server sequence number. 



1 1 . The method according to Claim 2, wherein the input string information does 
5 not include sequence numbers. 

12. The method according to Claim 11, wherein the network data instances are 
datagrams as part of a UDP/IP (User Datagram Protocol/Internet Protocol) network. 



7: 10 13. The method according to Claim 1, which further includes: truncating the 

4; signature to include fewer bits than the hash function output string. 

^ 14. The method according to Claim 1, which further includes: adding flag bits to 

H the signature which indicate the type of application associated with the network data 

Li 15 instance. 



15. The method according to Claim 3, wherein the monitor serves as a data 
reduction device for data report and signature information being sent to the central data 
collector. 
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16. The method according to Claim 1 , wherein the monitoring device operates to 
directly monitor the network data. 
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17. The method according to Claim 1, wherein the monitoring device operates to 
indirectly monitor the network data. 

18. An apparatus for providing a unique identification of monitored network data 
instances flowing across various connections between networked devices, the unique 
identification being derived from information contained entirely within each instance of the 
network data, the apparatus comprising: 

at least one monitoring device positioned to monitor a network data instance flowing 
across at least one data connection; 

a hash function device having an input string and an output string, the input string 
assembled from certain information derived from the network data instance, the information 
collectively providing a unique identification of the network data instance; 

wherein the output string is used as a signature which represents a unique identifier of 
the network data instance. 

19. The apparatus according to Claim 18, wherein information derived from the 
network data instance includes at least: 

a source and destination address derived from the network data instance; 

a source and destination port associated with the networked devices; and 

at least one sequence number associated with network data instance. 

20. The apparatus according to Claim 18, which further includes: 

at least one data report associated with the network data instance, the signature being 
attached to the data report; and 
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a central collection device that receives transmitted data reports and signatures from 
each monitoring device. 

2 1 . The apparatus according to Claim 20, wherein a timestamp is further 
associated with each data report before it is transmitted to the central collector. 

22. The apparatus according to Claim 20, wherein the central collecting device 
uses the signatures to eliminate duplicate data reports that might come in from different 
monitoring devices positioned at different locations on the network. 

23. The apparatus according to Claim 18, wherein network data instances are data 
packets as part of a TCP/IP (Transmission Control Protocol/Internet Protocol) client-server 
network. 

24. The apparatus according to Claim 23, wherein the source and destination 
addresses include a client IP address and a server IP address. 

25. The apparatus according to Claim 24, wherein the source and destination port 
include a client port number and a server port number. 

26. The apparatus according to Claim 25, wherein the at least one sequence 
number includes a client sequence number or a server sequence number. 
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27. The apparatus according to Claim 26, wherein the at least one sequence 
number also includes both a client sequence number and a server sequence number. 

28. The apparatus according to Claim 19, wherein the input string information 
5 does not include sequence numbers. 

29. The apparatus according to Claim 28, wherein the network data instances are 
datagrams as part of a UDP/IP (User Datagram Protocol/Internet Protocol) network. 

30. The method according to Claim 18, wherein the signature is truncated to 
include fewer bits than the hash function output string. 

3 1 . The method according to Claim 1 8, wherein flag bits are added to the 
signature which indicate the type of application associated with the network data instance. 

32. The method according to Claim 20, wherein the monitor serves as a data 
reduction device for data report and signature information being sent to the central data 
collector. 

20 33. A method for providing a unique signature of monitored network data packets 

flowing across various connections between networked devices, the unique signature being 
derived from information contained entirely within each instance of the network data packet, 
the method comprising: 

using at least one monitoring device to monitor a network data packet flowing across 
25 at least one data connection; 

28 





•J 

5465 



deriving from the data packet a source and destination address for the data; 

deriving from the data packet a source and destination port associated with the 
networked devices; 

deriving from the data packet at least one sequence number associated with data 
5 instance; 

assembling the derived addresses, ports, and at least one sequence number 
information into an input string for a hash function; and 

using the output string of the hash function as the signature which represents a unique 
identifier of the network data packet. 

1 0 attaching the signature to at least one data report associated with the network data 

packet; and 

transmitting the data reports and signatures from each monitoring device to a central 
collecting device for analysis. 
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